# Array of supported block actions.
my @supported_actions = ("DROP", "REJECT");
-# The path to the iptables executeable.
-my $iptables = "/usr/sbin/iptables";
+# Path where the IPtables related binaries are stored.
+my $bindir = "/usr/sbin/";
+
+# Hash which contains the path to the IPtables binaries,
+# based on the used IP protocol version. IPtables is
+# designed to use different binaries for IPv4 and IPv6.
+my %binaries = (
+ "4" => "iptables",
+ "6" => "ip6tables",
+);
# The used firewall chain.
my $chain = "INPUT";
}
# Check if the given action is supported.
- my $error = &_check_action($action);
+ unless(&_check_action($action)) {
+ # Abort and return an error message.
+ return "Unsupported action: $action";
+ }
+
+ # Obtain which binary should be executed.
+ my $iptables = &_omit_binary($address);
- # Abort and return the recieved error.
- if ($error) {
- return $error;
+ # Abort if no suitable binary could be obtained.
+ unless ($iptables) {
+ return "No suitable binary found.";
}
- # Call iptables to block the given address.
+ # Call IPtables binary to block the given address.
system("$iptables --wait -A $chain -s $address -j $action");
}
sub DoUnblock ($) {
my ($address) = @_;
+ # Obtain which binary should be executed.
+ my $iptables = &_omit_binary($address);
+
+ # Abort if no suitable binary could be obtained.
+ unless($iptables) {
+ return "No suitable binary found.";
+ }
+
# Get rulepositions for the specified address.
- my @rules = &_get_rules_positions_by_address($address);
+ my @rules = &_get_rules_positions_by_address($address, $iptables);
# Loop through the rules array and drop the firewall rules.
foreach my $rule (@rules) {
#
## The DoFlush subroutine.
#
-## Call this subroutine to entirely flush the IPtables chain.
+## Call this subroutine to entirely flush the IPtables chains for each
+## supported protocol version.
#
sub DoFlush () {
- # Call iptalbes and flush the chain.
- system("$iptables --wait -F $chain");
+ # Loop through the binaries hash to flush
+ foreach my $key (keys %binaries) {
+ # Grab binary from hash and generate the absolute path
+ # to the binary.
+ my $iptables = join ("/", $bindir,$binaries{$key});
+
+ # Execute the binary if avail- and executeable.
+ if (-x $iptables) {
+ system("$iptables --wait -F $chain");
+ }
+ }
}
#
## firewall rules for a given address. Those position will be collected
## and returned in reversed order.
#
-sub _get_rules_positions_by_address ($) {
- my ($address) = @_;
+sub _get_rules_positions_by_address ($$) {
+ my ($address, $iptables) = @_;
# Array to store the rule positions.
my @rules;
## the firewall engine.
#
sub _check_action ($) {
- my $action = $_[0];
+ my $action = shift;
# Check if the recieved action is part of the supported_actions array.
foreach my $item (@supported_actions) {
# Exit the loop and return "nothing" if we found a match.
if($item eq $action) {
- return;
+ # Return "1" (True).
+ return 1;
}
}
# If we got here, the given action is not part of the array of supported
- # actions. Return an error message.
- return "Unsupported action: $action";
+ # actions. Return nothing (False).
+ return;
+}
+
+#
+## The _omit_binary function.
+#
+## This private function is responsible for selecting and returning the correct
+## IPtables binary, based on which kind of IP address has been given.
+#
+sub _omit_binary ($) {
+ my $address = shift;
+
+ # Obtain used protocol version, based on the
+ # given IP address.
+ my $proto_version = &Guardian::Base::DetectIPProtocolVersion($address);
+
+ # Abort if the protocol version could not proper be detected.
+ unless ($proto_version) {
+ # Return nothing (False).
+ return;
+ }
+
+ # Obtain which binary is responsible, based on the detected protocol version and
+ # generate the full path to it.
+ my $binary = join("/",$bindir,$binaries{$proto_version});
+
+ # Abort if the obtained binary is not avail- or executeable.
+ unless (-x $binary) {
+ # Return nothing (False).
+ return;
+ }
+
+ # Return the detected and validated binary.
+ return $binary;
}
1;